Solution Brief: XG Firewall

Transcription

1 Solution Brief: XG Firewall There s an evolution in firewalls currently underway that s very different from any previous generation. The threat landscape has shifted radically and as a result, the complexity and number of security systems required to combat it has increased dramatically. And if that wasn t enough, collectively these security solutions generate an overwhelming amount of isolated data that is impossible to correlate. This has created a perilous situation that requires a radical new approach to network security one that can enable security systems to work together; that simplifies and streamlines everyday workflow; and can parse enormous volumes of information to focus attention on exactly what s important. It requires a different approach to security integration, innovations in management, and new ways of identifying and responding to risks and threats.

2 Firewalls Today Early firewalls operated at lower layers of the network stack, providing basic routing and packet filtering based on port and protocol inspection, to forward or drop the traffic. These firewalls were effective at stopping very basic attempts by hackers to enter the network. Network security has been forced to evolve, as attacks have shifted from attacking the network directly to infecting systems inside the network, typically by exploiting vulnerabilities in applications and servers; or by taking advantage of social engineering to gain a foothold through and compromised websites. Over time, organizations have been forced to add additional network security appliances to their network perimeter for intrusion prevention, web filtering, anti-spam, remote access (VPN), and web application firewalls (WAF). The UTM (Unified Threat Management) appliance evolved out of the burden of managing an array of network security products UTM solutions allowed organizations to consolidate everything into a single appliance. Firewall technology has evolved as well, moving up the stack to Layer 7 and beyond to be able to identify and control specific application traffic. Firewalls also grew to incorporate technologies to more deeply inspect the contents of network packets and look for threats. They also gained the ability to control traffic based on the originating user or application, not just the type of traffic. This shift from ports and protocols to applications and users has spawned a new category of network protection: nextgeneration firewalls. A next-generation firewall is one that includes traditional stateful firewall inspection along with deep packet inspection that includes Intrusion Prevention, application awareness, user-based policies, and the ability to inspect encrypted traffic. Network security continues to consistently change and grow to meet the ever-evolving threat landscape. Modern threats like ransomware and botnet malware are more advanced, evasive, and targeted than ever before. These advanced persistent threats (APTs), use techniques that create a new zero-day threat with every instance, and can be extremely challenging for most signature-based systems to detect until it s too late. In a recent study, 83% of organizations surveyed had compromised systems on their network that were either victims of an APT or botnet. This is a pervasive and widespread problem. The nature of the current threat and network landscape is creating the need for fundamental changes in the approach to network security. First: Network security systems must now integrate new technology to identify malicious behavior in network payloads without the use of traditional antivirus signatures. Technologies like sandboxing that, until recently, were only affordable for large enterprise, have become extremely affordable for small and mid-sized organizations, and are now an essential part of an effective defence against modern malware. Solution Brief Document February

3 Second: Security systems that used to be isolated and independent, such as the firewall and endpoint, now need to be integrated and work together to detect, identify, and respond to advanced threats quickly and efficiently before they can cause significant damage. Third: New dynamic application control technologies are required to properly identify and manage unknown applications, given the growing ineffectiveness of signaturebased engines to identify the latest protocols, custom applications, and those applications increasingly reliant on generic HTTP/HTTPS protocols. To make matters worse, most modern firewall products have become increasingly complicated, often leveraging several separate but loosely integrated solutions to tackle different threat vectors and compliance requirements. As a result, the management burden for the average network administrator has reached unsustainable levels and the amount of information and data these systems produce is simply indigestible. In fact, in a recent Firewall Satisfaction Survey of IT administrators, a number of common issues were identified with most firewalls in use today: They require too much time spent digging to get the necessary information They do not provide adequate visibility into threats and risks on the network They have plenty of features, but make it too difficult to figure out how to use them Sophos XG Firewall Sophos XG Firewall has been designed from the ground up to address today s top problems with existing firewalls, while also providing a platform designed specifically to tackle the evolving threat and network landscape. As a new entrant to the next-gen firewall space, Sophos XG Firewall brings a fresh approach to the way you manage your firewall, identify and respond to threats, and monitor what s happening on your network. It s packed with innovative modern technology that makes it the best choice for protecting your organization from today s latest threats, while offering all the insight and controls you need to manage risk and productivity, simply and easily. Intelligent Insights It s critically important for a modern firewall to parse through the mountain of information it collects, correlate data where possible, and highlight only the most important information requiring action ideally before it s too late. Solution Brief Document February

4 Control Center XG Firewall s Control Center provides an unprecedented level of visibility into activity, risks, and threats on your network. It uses traffic light style indicators to focus your attention on what s most important: If something s red, it requires immediate attention. If something is yellow, that s an indication of a potential problem, and if everything is green, no further action is required. And every widget on the Control Center offers additional information that is easily revealed simply by clicking that widget. For example, the status of interfaces on the device can be easily obtained by simply clicking the Interfaces widget on the Control Center. Solution Brief Document February

5 The host, user, and source of an advanced threat is also easily determined simply by clicking the ATP (advanced threat protection) widget in the dashboard. System graphs also show performance over time with selectable timeframes, whether you want to look at the last two hours to the last month or year. And they provide quick access to commonly used troubleshooting tools. The live log viewer is available from every screen with just a single click. You can open it in a new window so you can keep one eye on the relevant log while working on the console. It provides a nearly real time five-second refresh, and color-coded log lines and one-click access to the firewall rule table or packet capture make troubleshooting quick and easy. Solution Brief Document February

6 If you re like most network admins, you ve probably wondered whether you have too many firewall rules, and which ones are really necessary versus which ones are not actually being used. With Sophos XG Firewall, you don t need to wonder anymore. The Active Firewall Rules widget shows a real-time graph of traffic being processed by the firewall by rule type: Business Application, User, and Network Rules. It also shows an active count of rules by status, including unused rules where you could have an opportunity to do some housekeeping. As with other areas of the Control Center, clicking any of these will drill down, in this case, to the firewall rule table sorted by the type or status of rule. Solution Brief Document February

7 Risk Assessment and Reports User Risk Studies have proven that users are the weakest link in the security chain, and patterns of human behavior can be used to predict and prevent attacks. Also, usage patterns can help illustrate how efficiently corporate resources are utilized and if user policies need to be fine-tuned. The Layer 8 technology over Sophos firewalls treats user identity as the eighth layer or the "human layer" in the network protocol stack. This allows administrators to uniquely identify users, control the internet activity of these users in the network, and enable policy-setting and reporting by username. User Threat Quotient (UTQ) helps a security administrator spot users who pose a risk based on suspicious web behavior and advanced attacks triggered from their hosts. The risk could be a result of unintended actions due to lack of security awareness, a malware infected host, or the intentional actions of a rogue user. Knowing the user and the activities that caused risk can help the network security administrator take required actions to avoid such risks. Application Risk It s imperative today that your firewall provide essential insights into the applications traversing the network and potential risks they pose. XG Firewall s application awareness and control offers complete visibility into which applications are being accessed within the network and stops sophisticated application-layer threats right at the network perimeter. The Application Risk Meter provides an at-a-glance indication of the overall risk associated with various applications, and is calculated based on individual risk associated with a specific application and the number of hits on that application. If Solution Brief Document February

8 your App Risk Meter is green, you have nothing to worry about. However, if it creeps into the red, you have risky or illegal apps in use on your network and you need to take action and implement an application control policy for your riskiest users. Rich On-Box Reporting XG Firewall is unique among firewall and UTM products, providing comprehensive, rich on-box reporting at no extra charge. Of course, we also offer a centralized off-box reporting platform, Sophos iview, if you prefer to do your reporting on a separate server. But most small and mid-sized organization appreciate the ability to get full historical reporting on a single appliance without paying extra. Solution Brief Document February

9 XG Firewall provides a comprehensive set of reports, conveniently organized by type, with several built-in dashboards to choose from. There are literally hundreds of reports with customizable parameters across all areas of the firewall, including traffic activity, security, users, applications, web, networking, threats, VPN, , and compliance. You can easily schedule periodic reports to be ed to your or your designated recipients, and save reports as HTML, PDF, or CSV. Simpler Policy Management A commitment to simplicity has always been a key part of the Sophos DNA. But perhaps more importantly, Sophos has a rare willingness to embrace change and take bold steps to do things differently in the interest of providing both better protection and a better user experience. When we launched the Sophos XG Firewall, with an all new user interface, we had a unusual and exciting opportunity for a fresh start. We not only embraced that opportunity we made the most of it. The UX design team invested significant effort making XG Firewall look great, as well as addressing some of the most significant problems with managing firewalls today. Unified Policy Management Managing a firewall can be incredibly challenging, with multiple policies spread across a variety of functional areas often with several different rules required to provide the necessary protection. With the new XG Firewall, we took the opportunity to completely re-think the way policies are organized and managed. Instead of having to hunt around the management console looking for the right policies, we collected all policy management into a single unified screen. You can now view, filter, search, edit, add, modify, and organize all your firewall rules in one place. Solution Brief Document February

10 Policy types for users, business applications, and networking make it easy to view only the policies you need while providing a single convenient screen for management. Indicator icons provide important information about policies such as their type, status, Heartbeat requirements, and much more. Natural language descriptions help you understand what a policy is doing in simple language long after you ve configured it. Layer-8 User-Based Policy XG Firewall integrates our patented Layer 8 identity-based policy technology, enabling user-level controls over applications, bandwidth, and other network resources, regardless of IP address, location, network or device. It literally takes firewall policy to a whole new layer. This user-based policy offers full Layer 8 control over applications, websites, categories, and traffic shaping (Qu s) all in a single panel. With most other firewall products, this would require four or five different policies, all on different screens. Our integrated policies dramatically reduce firewall rule counts and make policy management a lot easier. Flexible authentication options enable you to easily know who s who, and include directory services such as Active Directory, edirectory, and LDAP, as well as NTLM, RADIUS, TACACS+, RSA, client agents, or a captive portal. And Sophos Transparent Authentication Suite (STAS) provides integration with directory services like Microsoft Active Directory for easy, reliable, transparent single sign-on authentication. Solution Brief Document February

11 Enterprise-Grade Secure Web Gateway Web protection and control is a staple in any firewall, but unfortunately, it feels like an afterthought in most firewall implementations. Our experience building enterprisegrade web protection solutions has provided us with the background and know-how to implement the kind of web policy control you would normally only find in enterprise SWG solution costing ten times as much. We ve implemented an all-new top-down inheritance policy model, which makes building sophisticated policies easy and intuitive. Pre-defined policy templates, available right out of the box, are included for most common deployments such as typical workplace environments, education CIPA compliance, and much more. It means you can be up and complaint immediately with easy fine-tuning and customization options at your fingertips. In fact, we know that web policy is one of the most frequently changed elements on a dayto-day basis in your firewall which is why we ve invested heavily in making it easy for you to manage and tweak based on your user and business needs. You can easily customize users and groups, activities (comprised of URLs, categories, and file types), actions (to block, allow, or warn), and add or adjust time-of-day and day-of-week constraints. It s powerful web policy made simple. Solution Brief Document February

12 Business Application Templates Anyone who s tried to setup a web application firewall policy for something like Exchange, SharePoint or a web server knows how challenging and issue-prone it can be. The range and number of settings is bewildering. But pre-defined policy templates can help you protect common business application servers quickly, easily, with confidence. Simply select your desired server type from the drop-down list. Once you select one of the common business applications you need to protect with your firewall, the configuration screen is prepopulated with the appropriate fields to make your job a lot simpler. You then simply enter a few details like the domain, path, and server information, and you re done. Compare this with having to setup a WAF policy in any other product which usually requires several screens. It s complex and confusing. Not with XG Firewall. Advanced Threat Protection and Synchronized Security Industry experts agree: proper protection against today s cyber threats requires defensein-depth, or layered defense that includes network traffic analysis, payload analysis, and endpoint behavior analysis. The age of signatures is gone. Today s more targeted and evasive threats require a coordinated effort that includes behavioral analysis and exploit detection and prevention to be effective. Advanced Threat Protection Advanced threat protection is essential for identifying APTs, bots, and other malware lurking on your network. XG Firewall uses a sophisticated mix of malicious traffic detection, botnet detection, and command and control (C and C) call-home traffic detection. It combines IPS, DNS, and URL analysis to identify call-home traffic and immediately identify not only the infected host, but the user and process. Solution Brief Document February

13 This sophisticated underlying protection technology provides a very simple but helpful view of advanced threats on the network. As mentioned earlier, the XG Firewall Control Center presents a simple traffic-light style indication of advanced threats on the network. When it s red, that means the firewall has identified and blocked an advanced threat. And if you re using Sophos Synchronized Security with your XG Firewall, it can go one step further and isolate that compromised system until it s cleaned up to prevent any data leakage or further communication with hacker s servers. Sandstorm Sandboxing With advanced threats like ransomware becoming more targeted and evasive, there s a dire need for behavior-based payload analysis. Up until recently, the sandboxing technology required to provide this protection was only affordable by the largest enterprises. But now, thanks to cloud-based sandboxing solutions like Sophos Sandstorm, it s incredibly affordable for even the smallest business. For the first time, small and mid-size organizations get the same enterprise-grade sandboxing protection, but without the enterprise price tag. Sophos Sandstorm provides the ultimate cloud sandboxing solution, one that is simple and affordable, while providing essential protection from the latest zero-day threats lurking in and web payloads. It s tightly integrated into XG Firewall and incredibly simple to setup, but because it s cloud-based there s no additional software or hardware required, and no impact on performance of your firewall. Suspicious attachments and web downloads are automatically analyzed and detonated in a cloud sandbox to determine their behavior before they are allowed onto your network. Sophos Sandstorm provides an at-a-glance account of payload analysis on the XG Firewall Control Center and rich detailed reporting on all the files and threats analyzed and processed by your firewall. Solution Brief Document February

14 While Sandboxing technology is becoming more commonplace, XG Firewall and Sophos Sandstorm deliver the best protection made simple, at a very aggressive price, making it affordable and effective for everyone. Security Heartbeat To stop sophisticated threats, you need security products that work together as a system protecting your network, users and data across all points of the network. With Sophos Synchronized Security, that s exactly what you get. Sophos Security Heartbeat shares intelligence in real time using a secure link between your endpoints and your firewall. This simple step of synchronizing security products that previously operated independently creates more effective protection against advanced malware and targeted attacks. Security Heartbeat can not only identify the presence of advanced threats instantly, it can also be used to communicate important information about the nature of the threat, the host system, and the user. And perhaps most importantly, Security Heartbeat can also be used to automatically take action to isolate or limit access to compromised systems until they can be cleaned up. It s exciting technology that is revolutionizing the way IT security solutions identify and respond to advanced threats. Solution Brief Document February

15 Security Heartbeat for managed endpoints behind your firewall can be in one of three states: Green Heartbeat status indicates the endpoint system is healthy and will be allowed to access all appropriate network resources. Yellow Heartbeat status indicates a warning that a system may have a potentially unwanted application (PUA) or other issue. You can choose which network resources a yellow heartbeat is allowed to access until the issue is resolved. Red Heartbeat status indicates a system that is at risk of being infected with an advanced threat and may be attempting to call home to a botnet or command-andcontrol server. Using the Security Heartbeat policy settings in your Firewall, you can easily isolate systems with a red heartbeat status until they can be cleaned up to reduce the risk of data loss or further infection. Only Sophos can provide a solution like Security Heartbeat because only Sophos is a leader in both endpoint and network security solutions. While other vendors are starting to realize this is the future of IT security and are scrambling to implement something similar, they are all at a distinct disadvantage: they don t own both an industry leading endpoint solution and an industry leading firewall solution to integrate together. Lightning Performance Today s networks are under increasing performance pressure. The statistics are mindboggling: reports indicate devices outnumbering people 3 to 1, global IP traffic tripling over the next five years, smartphone traffic expecting to exceed that of PCs within the next few years, and massive increases in the use of cloud services, VoIP, video, and virtual meetings already happening. It s no wonder that typical firewalls are buckling under the pressure. That s why it s important to leverage new technologies that can increase throughput to ensure top performance without sacrificing security and protection. FastPath Packet Optimization FastPath packet optimization dramatically improves firewall throughput performance by automatically setting trusted and secure packets on the FastPath, which means they don t have to be processed by the firewall policy engine for identification and destination. Instead, the firewall forwards these packets directly to the security engine for scanning. Solution Brief Document February

16 To better illustrate the FastPath concept, think of an airport. You arrive, and first someone verifies your identity and ticket to determine your destination and whether you re permitted to travel there. Packets are like groups of people, and if you have a large family or group traveling together, there s no need for everyone to go through this identity and destination verification step individually. After the leader of your traveling group has been cleared, the rest of this trusted group can proceed directly to security screening they are put on the fast path. This removes a heavy load from the firewall policy engine and results in a significant increase in firewall throughput. The next step at the airport is to go through security screening. And unlike some other firewall vendors, we don t enable anyone (or any packets) to slip past this important part of the process without the appropriate review. Some vendors use stream scanning, which compromises malware scanning effectiveness in the interest of improving performance. As you might imagine, at Sophos, we don t make compromises on protection, so all content is subjected to a thorough security scan by one or two different antivirus engines at your request. So, with Sophos XG Firewall, you re getting the best performance and the best protection without compromise. Industry Leading Appliance Hardware Sophos XG Series hardware appliances are purpose-built with the latest multi-core Intel technology, generous RAM provisioning, and high-speed solid-state storage to provide future-proof performance for the ever-increasing demands on your network. Whether you re protecting a small business or a large data center, you re getting industry-leading performance at every price point. Miercom, a leading independent test center, recently conducted a comparative test of UTM/next-gen firewall appliances from major network security vendors, including Sophos, Fortinet, Check Point, Dell SonicWALL, and WatchGuard. Miercom ran an extensive set of tests, including raw firewall throughput at a variety of real-world packet sizes. We were pleased with the results, as our XG 135w outperformed similar competing models in all tests by a significant margin. The Sophos XG 135w beat the competing average by 67.7%. Solution Brief Document February

17 Throughput Performance Firewall Byte Throughput (Mbps) Sophos XG 135W Check Point 2200 Dell SonicWall TZ600 Fortinet FortiGate 90D WatchGuard M200 Competitor Average Source: Miercom March 2016 Miercom also measured performance under real-world conditions, with a variety of important security features enabled, such as IPS, application control, antivirus, and IPS. The Sophos XG 135w ranked at the top of every test, including the most demanding: a test in which all security features enabled. It outpaced competitors by 31.3%. With modern web applications placing increasing demands on firewall connection limits, Miercom also ran a series of demanding connection tests, which are ideal for revealing performance bottlenecks imposed by inadequate RAM and processing speed. Again, the Sophos XG 135w provides outstanding value with its high-performance Intel multi-core technology and generous amounts of RAM, you ll have an order-ofmagnitude advantage over competing Firewalls. Maximum Concurrent Connections Per Second Firewall vs UTM Concurrent Connections Per Second (CCPS) 9,000,000 8,000,000 7,000,000 6,000,000 5,000,000 4,000,000 3,000,000 2,000,000 1,000,000 0 Sophos XG 135W Check Point 2200 Dell SonicWall TZ600 Fortinet FortiGate 90D WatchGuard M200 Competitor Average Firewall 8,380, , ,994 1,500,000 1,283, ,999 UTM 8,370, , ,992 1,490, , ,998 Source: Miercom March 2016 The full report is available here. Solution Brief Document February

18 Summary You ve seen how Sophos XG Firewall is addressing today s top problems with existing firewalls, by providing a fresh new approach to the way you manage your firewall, respond to threats, and monitor what s happening on your network. Be prepared for a whole new level of simplicity, security and insight. Try XG Firewall online for free. United Kingdom and Worldwide Sales Tel: +44 (0) sales@sophos.com North American Sales Toll Free: nasales@sophos.com Australia and New Zealand Sales Tel: sales@sophos.com.au Asia Sales Tel: salesasia@sophos.com Oxford, UK Copyright Sophos Ltd. All rights reserved. Registered in England and Wales No , The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners SBD-NA (MP)